Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to optimize my dashboard panel

klim
Path Finder
‎06-09-2023 11:29 AM

I have a search that gets the top users over a long periods of time . It also displays the most common field X value which can be any value.

So it would be something like: index=some_index | stats count mode(field_X) by user | sort - count | head 10

That takes 30 seconds for 5 million events for 1 day of data. I want to run this for longer periods of time like a month or even longer.

Is the best method to increase performance to just summary index the above example but just removing the top 10 part? 

Labels (1)
Labels
0 Karma
Reply

inventsekar
SplunkTrust
SplunkTrust
‎06-09-2023 02:49 PM

Hi @klim ...actually you should provide us more details..

1.  how big is the index you are querying, approx

2. the dashboard got how many panels.. the dashboard SPL query if you can share with us, that would be perfect. 

3. old classic dashboard or the new dashboard studio ?!?!

4. are you using "base search"?..if not, then.. 
if you have got multiple panels, then, using a "base search" to create the base results and on each panel you can re-use the base search results and do remaining tasks.. that would increase the performance pretty good. you can search for base search and you can find many posts here this community. 

if u r having any specific 

thanks and best regards,
Sekar

PS - If this or any post helped you in any way, pls consider upvoting, thanks for reading !
0 Karma
Reply

klim
Path Finder
‎06-09-2023 03:02 PM

@Anonymous 

The index is ~1.5 TB.

I can't share the dashboard panels with you but they don't use the same base search. It is a bunch of panels that show the top counts of fields with high variance. But even with just one of these searches how could we improve performance so that it finishes a month of data in a reasonable amount of time?

I am using the old dashboard but could use the new one.

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk AI Assistant for SPL | Key Use Cases to Unlock the Power of SPL

Splunk AI Assistant for SPL | Key Use Cases to Unlock the Power of SPL  The Splunk AI Assistant for SPL ...

Buttercup Games: Further Dashboarding Techniques (Part 5)

This series of blogs assumes you have already completed the Splunk Enterprise Search Tutorial as it uses the ...

Customers Increasingly Choose Splunk for Observability

For the second year in a row, Splunk was recognized as a Leader in the 2024 Gartner® Magic Quadrant™ for ...